Spike Toolkit: A New DDoS Threat

About This Presentation

Title:

Description:

Number of Views:20

Slides: 11

Provided by: AkamaiAkamai

Category: Other

Tags: anti_ddos | ddos | ddos_attack | ddos_mitigation | security_operations_center

Transcript and Presenter's Notes

Title: Spike Toolkit: A New DDoS Threat

1
Spike DDoS Toolkit

2
Overview

The Spike DDoS toolkit is a Chinese botnet
toolkit discovered in 2014
Originally targeted at desktop Linux systems,
Spike may also have payloads capable of targeting
Windows
Spike has the unique ability to infect Linux ARM
systems small devices used for mobile systems
and appliances
Targeted devices include
PCs
Servers
Routers
Internet of Things (IoT devices) such as smart
thermostats and washer/dryers
Customer Premises Equipment (CPE) routing devices
Android phones and tablets

3
Toolkit Analysis

Spike has a standard command-and-control panel to
control the bots, binary payloads for infection,
and DDoS payload builders
The addition of an ARM payload suggests it may be
targeting devices such as routers and IoT
appliances
Two of the payload builders target 32 and 64-bit
Linux systems
The third, Typhoon Builder, generates a 32-bit
ARM Linux executable
Evidence of the payloads being ported to Windows
has surfaced
Author uses Mr. Black as a pseudonym
Can launch SYN, DNS, UDP, and GET floods

4
Toolkit Screenshot
5
Observed Attack

6
Attack Analysis

Spike has four types of attacks SYN, GET, UDP
and DNS floods
This assortment is fairly standard for malicious
toolkits, and includes no new attack types
Spike also claims to include an ICMP flood, but
testing has revealed it to be nonfunctional due
to poor coding
The SYN, GET, UDP, and DNS floods are implemented
simplistically, with no fundamentally new ideas
However, the multiplatform nature of its
infections allows it to build potentially massive
botnets

7
System Hardening

The multi-architecture malware code found in the
kit increases its sophistication and complexity,
requiring hardening measures for each targeted OS
and platform
PLXsert anticipates further infestation and the
expansion of this DDoS botnet
For more information, see the full threat
advisory at stateoftheinternet.com, including a
YARA rule for system hardening and a Snort rule
for DDoS mitigation

8
Conclusion

There is a rising trend in Asian botnet activity
that has targeted Linux servers primarily, but is
now diversifying to target Windows hosts,
routers, CPE and ARM-compatible Linux
distributions as well
These botnets can thereby infect more machines
and produce sizable attack campaigns
New multiplatform DDoS kits require system
administrators to thoroughly check and harden
previously safe devices
Spike does not use any new DDoS attacks what it
brings is diversity in infection
Unless there is a significant community effort,
Spike and its descendants are likely to spread
further

9
Spike DDoS Toolkit Threat Advisory

The Spike DDoS Toolkit Threat Advisory includes
DDoS mitigation details for enterprises, such as
Indicators of binary infection
Command and control panel
Toolkit variations
Bot initialization
DDoS payloads
Details of an observed attack campaign
DDoS mitigation techniques, including a SNORT
rule to stop the GET flood attack
System hardening resources
YARA rule for preventing bot infection
Download the full report for free at
www.stateoftheinternet.com/spike

10
About StateOfTheInternet.com

Write a Comment

User Comments (0)

About PowerShow.com

Spike Toolkit: A New DDoS Threat - PowerPoint PPT Presentation